Expert: Certified Microsoft applications reach security pinnacle
- By Michael Arnone
- Dec 14, 2005
Eight of Microsoft’s widely used applications now have the highest assurance level for information security thought possible for commercial products, a security expert said today.
The company announced today that six varieties of Microsoft Windows Server 2003 and two varieties of Microsoft Windows XP now meet Evaluation Assurance Level (EAL) 4+ of the Common Criteria.
The Common Criteria are a set of internationally recognized standards of assurance for sharing classified information among government agencies. Meeting those standards is essential for companies to win federal contracts that include handling classified information.
EAL 4 probably is the highest assurance level that a complex, commercially developed product can achieve, said Helmut Kurth, chief scientist and lab director at atsec, an information technology security-consulting firm. Kurth wrote the security standards on which the Common Criteria are based.
Higher EAL levels are possible only with applications that are designed initially with security as their driving force, Kurth said. EAL certifications range from 1 to 7, and 7 is the highest.
“EAL 4 has become a kind of standard for all general-purpose operating systems,” Kurth said. Sun Solaris, IBM AIX and Microsoft Windows 2000 have all achieved that certification, he said.
EAL 4 reasonably assures users that their operating systems, together with firewalls and other security measures, will protect them from standard attacks, Kurth said.
The “+” in the EAL 4+ rating means that the certified application exceeds the requirements for compliance, Kurth said.
Microsoft configured the applications submitted for evaluation to reflect configurations that customers actually run, instead of stripped-down versions that would get certified more easily, said Steven Lipner, Microsoft’s senior director of security engineering strategy.
By doing that, Microsoft allows application users to trust more of the applications’ security functions, Kurth said. Users “don’t have to violate the evaluation just for the purpose of gaining something useful,” he said.
By acquiring Common Criteria certification, “customers can have a higher degree of confidence that the security features in those products meet independent standards for completeness, consistency and quality,” Lipner said.
Microsoft is working on Common Criteria certification for other products, including its new Windows Vista operating system, Lipner said.